I have attended several conferences where researchers and practitioners describe some type of early warning system for cyber attacks. Some predictive systems involve the sharing of threat intelligence of attackers’ TTPs; others involve forecasting of cyber attacks based on data from network telescopes, honeypots, and automated intrusion detection / prevention systems; some use information from the Dark Web; while still others track emergence of zero days or vulnerabilities as predictive markers. So I was eager to learn more about the research being performed by IARPA when I heard Mr. Rob Rahmer speak at a recent conference about the CAUSE  program he is leading or the Cyber-attack Automated Unconventional Sensor Environment. I wondered what types of unconventional sensors were involved, what new analysis algorithms were invented, and what results were being achieved. I was very gratified when Mr. Rahmer accepted my interview request to discuss these questions and more. So read the interview below to learn more about this fascinating research being conducted by IARPA.

Spotlight on Mr. Robert Rahmer

» Title: Mr. Robert Rahmer, Program Manager, Intelligence Advanced Research Projects Activity (IARPA)

» Website: https://www.iarpa.gov/index.php/research-programs/cause

» LinkedIn: https://www.linkedin.com/in/robert-r-58003168

Read his bio below.

February 19, 2019

Chris Daly, Active CyberTM: Cyber-attack Automated Unconventional Sensor Environment (CAUSE) is one of the programs in your portfolio. When did CAUSE start, what are the objectives of CAUSE and what were the generating factors that led to CAUSE?

Mr. Robert Rahmer, Program Manager Intelligence Advanced Research Projects Activity (IARPA): CAUSE research officially kicked off in 2016. CAUSE seeks to develop new automated methods for forecasting and detecting cyber-attacks, significantly earlier than existing methods. The CAUSE Program aims to develop and validate unconventional multi-disciplinary sensor technology that will forecast cyber-attacks and complement existing advanced intrusion detection capabilities.

The idea for CAUSE was cultivated from several open research problems and advances in data science, utilization of open source data, and attack prediction. Threat intelligence utilizing external data sources has been useful in identifying existing attacks and further details about threats. Lastly, the IARPA OSI program has leveraged open source, publicly available external data sources to develop methods for forecasting other types of events.

As a Computer Scientist and former cybersecurity practitioner and analyst, too much time was spent responding to, and investigating, discovering, and analyzing the artifacts from cyber-attacks that already occurred or were in their later stages, and we needed ways to detect them earlier through new signals.

Ultimately, instead of receiving reports of the relevant cyber events that occurred for a given day or in previous days, decision makers would benefit from knowing what is likely to happen tomorrow or in the next few days based on recent and relevant data.

Active CyberTM: What characteristics of a cyber attack do you focus on for your forecast – the type of attack, severity, TTPs, timing, location of attacks [virtual and physical]?

Mr. Rahmer: We focus on the time the event occurred, the time it was detected/reported, the type of attack, the victim and sources (mostly virtual) of the attacks. Teams are researching and identifying various features that could be used for predicting future attacks. Additionally, CAUSE is attempting to advance the state of the art by predicting cyber attack event details, such as phishing email subject lines and other attributes, enabling more specific defensive measures.

Active CyberTM: What variables or emerging indicators do you use to help your predictions? How far in advance do you try or are you able to forecast? How granular or precise are your predictions? Do attack rates matter?

Mr. Rahmer: Social media is a potentially promising indicator. One goal of CAUSE is to forecast several days in advance. Researchers are attempting to provide high fidelity forecasts that should contain actionable details. Historical attack rates matter for training purposes, although we are evaluating forecasts for individual events.

Active CyberTM: What types of conventional sources do you use to capture warnings or possible indicators of future attacks – honeypots? Network telescopes/sinks? Threat exchanges?

Mr. Rahmer: We are currently evaluating the predictive value of the various data and signals that are contributing to forecasts.

Active CyberTM: What types of unconventional signals do you use – such as social media sentiment? Darkweb? What characteristics of these signals lend themselves to accurate prediction?

Mr. Rahmer: We are currently evaluating the accuracy of predictions utilizing many signals and their characteristics. In addition to social media sentiment, researchers are evaluating the predictive value of social media volume and occurrence of precursor events. Each of these has shown promise, although they are weak signals individually. Teams are still working on improving their methods to fuse these weak signals together to generate accurate, detailed warnings.

Active CyberTM: What types of attacks are easiest to forecast? Hardest? Why? What level of “stealth attack” are you able to forecast accurately?

Mr. Rahmer: It is our goal to have these answered by the end of the program, although the sophistication of attacks is not measured by the program.

Active CyberTM: What types of research history do you find in this area? What technology or new algorithms are you exploring and using as part of your research? Do you leverage natural language processing and machine learning in discovering unconventional signals and developing your indicators of possible attack? What new ground are you breaking?

Mr. Rahmer: CAUSE research is attempting to fuse together traditional, internal signals with external signals to provide predictions of future cyber events. Most previous research focused on internal data to predict the likely next step of an attacker once inside an enterprise through attack graphs and other methods that rely heavily on the internal defensive posture and less on external or attacker-related data. Researchers are exploring and expanding existing ML and NLP methods, although it would not be prudent to discuss until they can be evaluated.

Active CyberTM: What roles do human analysts play in the cyber attack forecasting process? Any psychics 🙂 ?

Mr. Rahmer: One of the goals of CAUSE is to automatically generate forecasts, not mitigation activities, essentially removing the human from the loop of forecast generation. The scope of CAUSE research did not include the exploration of human cyber-forecasting methods, therefore, no psychics were discovered or revealed themselves during the execution of this research program. Human cyber analysts remain critical in the process for cyber discovery and mitigation, and one lesson learned through CAUSE research was the amount of subjectivity built into security operations processes that add variance to the accurate detection, classification, and reporting of cyber events. This was observed during the ground truth development process where we needed to encode cyber events into CAUSE cyber events for training and evaluation, making it quite challenging.

Active CyberTM: What level of computing power and storage resources are needed to perform the forecasting that you are researching? Does your approach require “supercomputer” scale to provide accurate and timely forecasts?

Mr. Rahmer: Given the scope of the program, storage and hardware requirements were not evaluated. In the future, these requirements should be considered, although the program was seeking to reduce the number of leading signals/features extracted through large, noisy data sets used to produce timely forecasts.

Active CyberTM: What types of results have you found in your research to date? How accurate is your prediction performance for the forecast models that you have developed? How has cyber forecasting helped to reduce exposure to threats and paved the way for cost-effective, if not optimal, allocation of resources in real-life cyber defense? How are you measuring the efficacy of your forecasts?

Mr. Rahmer: It is our goal to have these answered by the end of the program. One research method showing promise develops logic that, when combined, helps determine which vulnerabilities are likely to be exploited in the near future, allowing organizations to better prioritize efforts and utilize their resources. We measure our forecasts with metrics such as precision, recall, and a quality score, which determines how closely a forecast matches an actual event (ground truth).

Active CyberTM: What is next for the CAUSE program?

Mr. Rahmer: The research towards the CAUSE main objectives will end in March 2019 when IARPA and the test and evaluation team will report their final analysis and lessons learned. Teams are continuing to work on innovative system components that have real operational utility today, and we will work to transition those to the government.

Thank you Mr. Rahmer for this quick but informative look at the CAUSE Program. Being able to generate warnings within a few days time of a possible attack would provide incredible benefits in the cybersecurity fight. I look forward to hearing more about CAUSE and its achievements in the coming year as your results start to come in and you can make informed judgments on the best methods you tested.

And thanks for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing ICS / IIoT and IoT systems, or other security topics. Also, email marketing@activecyber.net if you’re interested in interviewing or advertising with us at Active Cyber™.

About Mr. Robert Rahmer

Robert Rahmer joined the Intelligence Advanced Research Projects Activity (IARPA) in 2014 as a Program Manager, where he specializes in discovering and developing novel proactive and predictive methods for securing computational environments. He is currently leading the Cyber-attack Automated Unconventional Sensor Environment (CAUSE) research program that focuses on developing automated methods with the goal of forecasting and detecting cyber-attack events, significantly earlier than existing methods, through the use of unconventional sensors.

Before his assignment at IARPA, Mr. Rahmer served as a consultant, including to IARPA, providing technical expertise in cyber-security analysis, security engineering, and cyber intelligence analyst training to commercial, DoD, and IC customers. Prior to that, Mr. Rahmer led a large technical team that focused on reverse engineering, incident response, tactical development, and threat intelligence analysis in support of computer network operations for multiple government customers. Mr. Rahmer holds an M.S. in computer science from Johns Hopkins University and a B.S. in computer science from UMBC.